SesameOp Backdoor Uses OpenAI API for Covert C2

TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTogether, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Malware used in a months-long attack demonstrates how bad actors are misusing generative AI services in unique and stealthy ways.November 4, 2025A new backdoor uses an OpenAI API for command-and-control (C2) communications to covertly manage malicious activities within a compromised environment, demonstrating a unique way attackers can abuse generative AI services and tooling.Researchers from Microsoft's Detection and Response Team (DART) team discovered a backdoor dubbed "SesameOp" in July after responding to a security incident in which threat actors lurked undetected in an environment for several months, according to a blog post published Monday by Microsoft Incident Response. The covert backdoor, designed by threat actors to maintain persistence and allow them to manage compromised devices, is "consistent with the objective of the attack, which was determined to be long term-persistence for espionage-type purposes," according to the post.A unique aspect of SesameOp, however, is a component that uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs. The API is a tool that allows developers to create custom AI assistants using Azure OpenAI models, enabling features like conversation management and task automation."Our investigation uncovered how a threat actor integrated the OpenAI Assistants API within a backdoor implant to establish a covert C2 channel, leveraging the legitimate service rather than building a dedicated infrastructure for issuing and receiving instructions," according to the post.Related:SonicWall Firewall Backups Stolen by Nation-State ActorThe attacker also employed other "sophisticated techniques" in its use of the API to secure and obfuscate C2 communications. These included compressing payloads to minimize size and using both layered symmetric and asymmetric encryption to protect command data and exfiltrated results.Microsoft researchers provided a deep dive into the attack and misuse of OpenAI in the blog post. After DART responded to the July incident, its investigation found a "complex arrangement of internal web shells," each of which was responsible for running commands relayed from persistent, strategically placed malicious processes, according to the post. These processes leveraged multiple Microsoft Visual Studio (VS) utilities that had been compromised with malicious libraries, "a defense evasion method known as .NET AppDomainManager injection," according to the post.It was when attackers were hunting across other VS utilities loading unusual libraries that they discovered additional files that could facilitate external communications with the internal Web shell structure, including SesameOps. The overall infection chain of the backdoor is comprised of a loader (Netapi64.dll) and a NET-based backdoor (OpenAIAgent.Netapi64) that leverages OpenAI as a C2 channel, according to the post. Related:Nikkei Suffers Breach Via Slack Compromise"The dynamic link library (DLL) is heavily obfuscated using Eazfuscator.NET and is designed for stealth, persistence, and secure communication using the OpenAI Assistants API," according to the post. "Netapi64.dll is loaded at runtime into the host executable via .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable."Microsoft's DART informed OpenAI of their findings and the two companies jointly investigated this misuse of the API. What they found is that it did not represent a vulnerability or misconfiguration of the tool, "but rather a way to misuse built-in capabilities of the OpenAI Assistants API," which itself will be phased out in August 2026, according to the post.OpenAI has since identified and disabled an API key and associated account believed to have been used by the threat actor as part of SesameOps. "The review confirmed that the account had not interacted with any OpenAI models or services beyond limited API calls," according to Microsoft Incident Response. Related:Iran's Elusive "SmudgedSerpent' APT Phishes Influential US Policy WonksMicrosoft and OpenAI said they will continue to collaborate to achieve a better understanding of how threat actors misuse emerging technologies so as to disrupt these efforts. Indeed, APIs can hold the keys to the kingdom for generative AI services and applications, and attackers have been quick to misuse and abuse them since the inception of the technology. In the meantime, Microsoft Incident Response offered several mitigations for defenders and recommended that organizations frequently audit and review firewalls and Web server logs, and be aware of all systems exposed directly to the Internet. They also should use a local firewall, intrusion prevention systems, and a network firewall to block C2 server communications across endpoints whenever feasible. "This approach can help mitigate lateral movement and other malicious activities," according to the post. Defenders also should review and configure perimeter firewall and proxy settings to limit unauthorized access to services, including connections through non-standard ports, according to Microsoft.Elizabeth Montalbano, Contributing WriterElizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.2025 DigiCert DDoS Biannual ReportDigiCert RADAR - Risk Analysis, Detection & Attack ReconnaissanceThe Total Economic Impact of DigiCert ONEIDC MarketScape: Worldwide Exposure Management 2025 Vendor AssessmentThe Forrester Wave™: Unified Vulnerability Management Solutions, Q3 2025How AI & Autonomous Patching Eliminate Exposure RisksThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesYou May Also LikeNov 13, 2025How AI & Autonomous Patching Eliminate Exposure RisksThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesPKI Modernization WhitepaperEDR v XDR v MDR- The Cybersecurity ABCs ExplainedHow to Chart a Path to Exposure Management MaturitySecurity Leaders' Guide to Exposure Management StrategyThe NHI Buyers GuideCopyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.